authorwiz <wiz>2014-01-07 07:39:49 +0000
committerwiz <wiz>2014-01-07 07:39:49 +0000
commit80e95702369b3269af765d74580938a2e2616256 (patch)
treee144d3c57eea231c7ba951b190b090bbcfbab313 /x11
parent0eab191e7fc526012e5e2383875f45d8911843c5 (diff)
downloadpkgsrc-80e95702369b3269af765d74580938a2e2616256.tar.gz
CVE-2013-6462:
A BDF font file containing a longer than expected string could overflow the buffer on the stack. Testing in X servers built with Stack Protector resulted in an immediate crash when reading a user-provided specially crafted font. Bump PKGREVISION.
Diffstat (limited to 'x11')
-rw-r--r--x11/libXfont/Makefile3
-rw-r--r--x11/libXfont/distinfo3
-rw-r--r--x11/libXfont/patches/patch-src_bitmap_bdfread.c95
3 files changed, 99 insertions, 2 deletions
diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile
index d5e7c5d9772..0251e58ffde 100644
--- a/x11/libXfont/Makefile
+++ b/x11/libXfont/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.28 2013/07/22 06:34:53 wiz Exp $
+# $NetBSD: Makefile,v 1.29 2014/01/07 07:39:49 wiz Exp $
DISTNAME= libXfont-1.4.6
+PKGREVISION= 1
CATEGORIES= x11 devel fonts
MASTER_SITES= ${MASTER_SITE_XORG:=lib/}
EXTRACT_SUFX= .tar.bz2
diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo
index 457780159a3..ae24dc5abee 100644
--- a/x11/libXfont/distinfo
+++ b/x11/libXfont/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.19 2013/07/22 06:34:53 wiz Exp $
+$NetBSD: distinfo,v 1.20 2014/01/07 07:39:49 wiz Exp $
SHA1 (libXfont-1.4.6.tar.bz2) = 356512420fa8573a541450b957526dfd151b4870
RMD160 (libXfont-1.4.6.tar.bz2) = 6c284e2d50638753e43f7dae09a5d4b80c660920
Size (libXfont-1.4.6.tar.bz2) = 489067 bytes
+SHA1 (patch-src_bitmap_bdfread.c) = 199f221e01faf2393212452d0180788c0a4ffaff
diff --git a/x11/libXfont/patches/patch-src_bitmap_bdfread.c b/x11/libXfont/patches/patch-src_bitmap_bdfread.c
new file mode 100644
index 00000000000..2d9792e752a
--- /dev/null
+++ b/x11/libXfont/patches/patch-src_bitmap_bdfread.c
@@ -0,0 +1,95 @@
+$NetBSD: patch-src_bitmap_bdfread.c,v 1.1 2014/01/07 07:39:49 wiz Exp $
+
+From aeabb3efa6905e11c479e2e5319f2b6b3ab22009 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 23 Dec 2013 18:34:02 -0800
+Subject: [PATCH:libXfont 1/2] CVE-2013-XXXX: unlimited sscanf can overflow
+ stack buffer in bdfReadCharacters()
+
+Fixes cppcheck warning:
+ [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
+ scanf without field width limits can crash with huge input data.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+---
+ src/bitmap/bdfread.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+From f8b21df399fbedd08da88752181b8a290a38d890 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Mon, 23 Dec 2013 19:01:11 -0800
+Subject: [PATCH:libXfont 2/2] Limit additional sscanf strings to fit buffer
+ sizes
+
+None of these could currently result in buffer overflow, as the input
+and output buffers were the same size, but adding limits helps ensure
+we keep it that way, if we ever resize any of these in the future.
+
+Fixes cppcheck warnings:
+ [lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
+ scanf without field width limits can crash with huge input data.
+ [lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
+ scanf without field width limits can crash with huge input data.
+ [lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
+ scanf without field width limits can crash with huge input data.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+---
+ src/bitmap/bdfread.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- src/bitmap/bdfread.c.orig 2013-07-21 23:54:01.000000000 +0000
++++ src/bitmap/bdfread.c
+@@ -69,6 +69,7 @@ from The Open Group.
+ #define INDICES 256
+ #define MAXENCODING 0xFFFF
+ #define BDFLINELEN 1024
++#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */
+
+ static Bool bdfPadToTerminal(FontPtr pFont);
+ extern int bdfFileLineNum;
+@@ -338,7 +339,7 @@ bdfReadCharacters(FontFilePtr file, Font
+ char charName[100];
+ int ignore;
+
+- if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
++ if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
+ bdfError("bad character name in BDF file\n");
+ goto BAILOUT; /* bottom of function, free and return error */
+ }
+@@ -544,13 +545,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS
+ unsigned char lineBuf[BDFLINELEN];
+
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+- if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
++ if (!line ||
++ sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
+ !bdfStrEqual(namebuf, "2.1")) {
+ bdfError("bad 'STARTFONT'\n");
+ return (FALSE);
+ }
+ line = bdfGetLine(file, lineBuf, BDFLINELEN);
+- if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
++#if MAXFONTNAMELEN != 1024
++# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
++#endif
++ if (!line ||
++ sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
+ bdfError("bad 'FONT'\n");
+ return (FALSE);
+ }
+@@ -633,7 +639,9 @@ bdfReadProperties(FontFilePtr file, Font
+ while (*line && isspace(*line))
+ line++;
+
+- switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
++ switch (sscanf((char *) line,
++ BDFLINESTR BDFLINESTR BDFLINESTR,
++ namebuf, secondbuf, thirdbuf)) {
+ default:
+ bdfError("missing '%s' parameter value\n", namebuf);
+ goto BAILOUT;
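Review bot: The width in `BDFLINESTR` (`"%1023s"`) is a second hand-maintained copy of `BDFLINELEN`, and nothing next to the `#define` fails the build if the two drift apart, whereas the `FONT` read in bdfReadHeader does get an `#if MAXFONTNAMELEN != 1024` guard. A matching guard beside the define would close that gap: `#if BDFLINELEN != 1024` / `# error "need to adjust BDFLINESTR to be BDFLINELEN - 1"` / `#endif`. The same applies to `"STARTCHAR %99s"`, which is tied to `char charName[100]` only by the literal; a short comment on the declaration naming the dependent format string would help whoever resizes it. The limits in bdfReadHeader and bdfReadProperties are correct only if `namebuf`, `secondbuf` and `thirdbuf` are each declared with `BDFLINELEN` bytes; those declarations lie outside the embedded hunks, so this should be confirmed against the full file.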